Due to the proliferation of scenarios and edge cases in real-world driving, virtual testing is an important component of autonomous system development alongside real-world tests. However, the industry needs to share common methodologies for how simulation is used for this purpose and how simulation standards interact with existing frameworks for safety-critical development. In this post, the Applied team shares how simulation fits into frameworks for building safety-critical systems, recent standardization efforts around this technology, and the requirements for simulation tools to support this use case.
Two common frameworks relevant for automotive safety development are SOTIF and ISO 26262. ISO 26262 is about functional safety, which is the reduction of safety risks from known component failures, while Safety of the Intended Functionality (SOTIF) is about ensuring the safety of a functionality in unforeseen scenarios that the system might encounter. Both need to be considered carefully to develop a safe autonomous driving system.
ISO 26262 has traditionally been used to develop safety systems, and it lays out functional safety requirements aimed at preventing unreasonable risks due to system faults. The V-cycle development process (Figure 1) is a reference model for the product development cycle, and ISO 26262 recommends the use of simulation at each level of the V-diagram. The evaluation of requirements, fault injection, and performance testing should be executed during unit and integration tests, while system testing calls for hardware-in-the-loop (HIL) simulation to verify that software operates correctly on target hardware. Across all of these, simulations should cover dangerous situations broadly and make use of randomized tests to assess unknown risks.
Due to a range of hazardous edge cases that might be encountered in autonomous driving, a relatively new standard based on SOTIF has emerged and attempts to ensure safe system operation in unexpected scenarios even in the absence of obvious system faults. SOTIF analysis should include the use of simulations for identifying hazards, root causes for issues, and how they relate to overall weaknesses of the autonomous system (Figure 2). Since many of these arise from corner cases, a vast number of scenarios need to be tested given the complexity of real-world driving. Therefore, simulation platforms need to support the creation and testing of millions of scenarios quickly.
As more OEMs use specialized third-party simulation tools, it’s important that there are standards to enable interoperability with the variety of tools used in their overall autonomous vehicle development process. ASAM OpenX standards consist of OpenDRIVE, which defines a file format for the description of road networks (i.e., maps), and OpenSCENARIO, which defines a file format for the description of the dynamic content in simulation (i.e., driving maneuvers). These standards bring a number of benefits for developers, including but not limited to:
A simulation platform for AV development needs to be custom-built in order to support testing based on the standards described above. Some of the key requirements include:
Applied has developed a simulation platform that supports the key requirements outlined above and adheres to the available industry standards for simulation. As a member of ASAM, Applied is also involved in initiatives related to these simulation standards. Automotive developers worldwide are using Applied’s tools to develop safety systems based on the frameworks described in this article. Simulation continues to be a key aspect of measuring the safety of these systems, and Applied continues to work closely with the industry on this challenge.